receiving error AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application

Problem: A tenant admin may receive the error “AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application…” when clicking on the “Grant Admin Consent” button in Azure AD’s App Registration portal as shown in the screen shot below: Why is this happening? This error typically happens when the Enterprise Application portion (or Service Principal) of the registered application has the setting ‘User Assignment Required’…

Read More

Exploring AzureServiceTokenProvider class with Azure Key Vault

The AzureServiceTokenProvider class from the Nuget package Microsoft.Azure.Services.AppAuthentication can be used to obtain an access token.  When running in Azure it can also utilize managed identities to request an access token.  In this post I’ll focus on using this class to get an access token for Azure Key Vault.  Keep in mind that you can also use this class to obtain an access token for any Azure resources integrated with…

Read More

Using filter query on mail-related attributes in Microsoft Graph

The user object has email addresses stored in a couple of properties: the mail and otherMails properties. Both of these properties can be used to search for certain users having the desired email addresses. Here is an example of how to use the filter query to search for user using mail property: beta endpoint: GET https://graph.microsoft.com/beta/users?$filter=mail eq ‘john@contoso.com’ v1.0 endpoint: GET https://graph.microsoft.com/v1.0/users?$filter=mail eq ‘john@contoso.com’ Unlike the mail attribute (string-type property),…

Read More

Troubleshooting ASP.NET Core Azure AD-protected Web API Authorization issues

There is plenty of content on the internet that shows you how to use ASP.NET Core Authentication pipeline to protect a Web API with Azure Active Directory.  This is all working great except when your Web API returns a 401 Unauthorized error without providing much information.  You can end up spending a lot of time, pulling your hair out trying to figure out what can go wrong even though you…

Read More

Walkthrough: How to protect an ASP.NET Core Web API application with Azure AD

Pre-requisite: The ASP.NET Core Web API project in this tutorial uses Visual Studio 2017 with .Net Core runtime version 2.2 Application Registration: We will need to create an App Registration for the web API and an App Registration for the client app calling the web API in Azure Active Directory. Web API: From the Azure portal, navigate to the Azure Active Directory blade -> App registrations -> New registration to…

Read More

How to inject custom data into the ‘state’ parameter in an OpenID Connect MVC Application

It’s often desirable for an Azure Active Directory (Azure AD)- integrated application to maintain application state when sending request to Azure AD for login. The recommended way to achieve this is to use the ‘state’ parameter as defined in the OpenID Connect standards. Also mentioned in our documentation, the ‘state’ parameter is used for both preventing cross-site request forgery attacks and to maintain user’s state before authentication request occurs: For…

Read More

Infinite sign in loop between MVC application and Azure AD

In a previous post I talked about an infinite redirect loop issue between an MVC application and Azure AD when performing sign in. In this post, we will look at another scenario which can lead to the same type of problem. Background Applications running an old version of OWIN middleware can run into this issue because of a known Katana bug. Due to a cookie mismanagement issue in the old…

Read More

How to customize SAML token claims to include custom attribute created as Directory Schema Extension in Azure AD

Background Recently I was engaged to assist a customer with an interesting issue. This customer follows the guideline at https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions to create a custom User attribute as a Directory schema extension and then assigns a value to the attribute. As an example, I have a few custom attributes created this way as can be seen by Microsoft Graph Explorer: The customer wants to have this custom attribute returned as a…

Read More

Walkthrough: MSAL.Net client calling Azure API App with Easy Auth enabled in a B2C tenant

In a previous blog post, I talked about how to use MSAL.Net client application to call an Azure Function App with Easy Auth enabled in a regular tenant. In this post, I’ll describe the process to use an MSAL.Net client application to call a Web API application with Easy Auth enabled in a B2C tenant. I assume you already have an API App created on Azure App Service. If you…

Read More

Receiving error AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’

Problem: An application receives the following error when authenticating to Azure Active Directory: {     “error”: “invalid_client”,      “error_description”: “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z”,     “error_codes”: [7000218],     …} What does this error mean? The error is what it said.  When authenticating to Azure AD to get an access token, the client application is not providing…

Read More